v1.2.1

Dfw Content Calendar

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

The skill appears to be a normal content-calendar generator, with some disclosed but under-declared API/dependency and data-flow considerations users should notice.

Guidance

Before installing or running it, understand that demo/compliance modes can be local, but normal generation may require Python packages and an Anthropic API key. Do not include confidential customer, campaign, or engagement data unless you are comfortable with the selected LLM backend processing it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
metadata
Required env vars: none
...
Install specifications
No install spec — this is an instruction-only skill.

Code file presence
1 code file(s):
  generate_calendar.py

The registry-level metadata under-declares the runtime shape: it says no env vars and no install spec while the package includes a Python script and SKILL.md documents Python/package/API-key requirements. No hidden install or remote script execution is shown, but the install contract is incomplete.

User impact: A user may expect a purely instruction-only skill, then discover it relies on a Python script and optional provider dependencies.
Recommendation: Review the included Python file before running it and ensure required packages and credentials are installed intentionally.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
requires:
  env:
    - ANTHROPIC_API_KEY
...
primaryEnv: ANTHROPIC_API_KEY

The skill documents use of an Anthropic API key for non-demo LLM generation. This is purpose-aligned, but API keys are account credentials and can incur cost or expose submitted prompts to the provider.

User impact: Using non-demo generation may use the user's Anthropic account and billing, and submitted prompt content may be handled by the LLM provider.
Recommendation: Set the API key only if you intend to use Anthropic-backed generation; prefer demo/local mode for non-sensitive testing and use a key with appropriate billing/account controls.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: Medium, Status: Note
generate_calendar.py
return openai.OpenAI(base_url="http://localhost:8800/v1", api_key="local"), "local"
...
return anthropic.Anthropic(), "haiku"

The code can route generation to a local OpenAI-compatible service or Anthropic. This provider/backend flow is expected for an LLM content generator, but the data boundary changes depending on the selected backend.

User impact: Niche, audience, campaign details, and other prompts may be processed by either a local service or Anthropic depending on configuration and availability.
Recommendation: Use local mode for sensitive business details when possible, and avoid submitting confidential customer or campaign data to a cloud backend unless that is acceptable.

Memory and Context Poisoning
Severity: Info, Confidence: High, Status: Note
SKILL.md
`--past-results=results.json` — feed in engagement data from previous runs; skill adapts theme weights toward what worked

The skill can ingest prior engagement data to influence future calendar generation. This is disclosed and purpose-aligned, but it means previous performance context can affect new outputs.

User impact: Old or low-quality engagement data could bias future calendars, and sensitive performance data may be included in generation prompts.
Recommendation: Review past-results files before use and avoid including confidential metrics if using a cloud LLM backend.